Re: cgd and remote keys
Cem Kayali <cemkayali <at> eticaret.com.tr>
2008-01-02 23:22:09 GMT
Just an additional note: it is possible to store /etc/cgd/* content on USB
memory, already tested. You just need to add a line into /etc/fstab.
Although this does not allow you to enable remote reboot, it is much more
secure than storing the cgd key on the / partition.
Curt Sampson wrote:
> I've been thinking recently about how to add some additional security
> to hosts in less-secure physical locations, where there's a possibility
> they could be stolen. I'd like to use CGD to encrypt parts of the disks,
> but it always seemed rather pointless if the key was in a file on the
> disk, and of course the machine can't reboot unattended if it's not.
> A solution to this did occur to me, however. If I added a new key
> generation method to cgdconfig that made a TCP connection to a given
> host, sent an identifier, and read back a key or passphrase, I could
> have a server (or group of servers) elsewhere on the net supply that.
> That server could refuse to return the information if the request came
> from an unexpected IP address, and I could also disable that key in the
> server if I found out the machine had been stolen (which I would very
> quickly if I were monitoring it via Nagios or whatever).
> For an unencrypted connection, this means that the perpetrator of a black
> bag job would need to either sniff the key/passphrase in an exchange